Interested in knowing your stalkers on Instagram? How about an app that shows you who has viewed your Instagram profile. Sounds appetizing, right? But, before you go ahead and download apps like "Who Viewed Me on Instagram" for Android or "InstaCare – Who cares with me?" for iOS, don't forget that curiosity often kills the cat. These apps have over 50K to 100K downloads which confirms how many of us are interested to have more features than what Instagram officially offers. Sad news for all the users of these two apps (and possibly many other similar apps), as a security researcher has discovered that both the above apps have been developed by Turker Bayram.
- Earlier: Bypassing Apple’s Protection Features, Zero-Day Exploit Puts All OS X Versions at Risk
Spammy apps advertising to offer more features to Instagram users
Bayram was responsible for a malicious Android and iOS app called InstaAgent that was caught in Novermber last year, stealing Instagram credentials. Fooling Google and Apple to accept his apps again, the latest two apps also do the same what InstaAgent did - they steal your Instagram password. When caught last year, Bayram had apologized saying it wasn't his intention to use post spam on users' account and that the app never stored the passwords.
"It was a terrible experience for us. Because our application has removed both mobile markets," he wrote.
But he said people who had downloaded the app should not be concerned.
"Nobody's account [was] stolen. Your password [was] never saved [to] unauthorised servers.
"But again and again we apologise... [and in the future] we must read service providers' policies carefully." BBC
The developer is back at it again and has been caught doing the same things he did with InstaAgent. David Layer-Reiss of Peppersoft has reported that both the Android and iOS apps developed by Bayram steal passwords. Once users install InstaCare for iOS or Who Viewed Me on Instragram for Android, they are asked to log in with their Instagram credentials, which are then forwarded to the attacker's server. Since the app claims to show you a list of people who viewed your profile, most users fall victim and enter their account credentials without a second thought.
Once the attacker has the credits, they use it at a later time to secretly post spam and ads, covertly using the accounts of the hacked users.
How to protect yourself
- Uninstall the apps mentioned above from your iOS or Android devices.
- Never install third-party apps claiming to offer you features that sound too delicious to resist.
- Most importantly, change the password of your Instagram account.
- And finally, enable two-factor authentication.
It is not surprising to see malicious apps on large-scale app stores like Apple's App Store and Google's Play Store. However, there should be at least some mechanism that flags the developers that have a history of posting malicious apps.
